ITIL & COBIT O6PLM Kevin Lisay – 1501147113 Rendy Winarta – 1501149226 Steven Ekaputranto - 1501148362 Stefani Trifosa – 1501158893 Gladys Natalia – 1501165476


Background

Information technology is indispensable in the modern world. The effectiveness and efficiency that IT offers are great and bring many benefits. No company, especially a large one, can do without IT nowadays.

To make the IT structure operate well, many companies use ITIL (Information Technology Infrastructure Library), a set of documents that defines best practices and accepted techniques in the information technology community. They also use COBIT (Control Objectives for Information and Related Technology), which helps top-tier users (managers, IT professionals and assurance professionals) develop IT itself.


Scope

1. Implementation of Information Technology Infrastructure Library.

2. Implementation of Control Objective for Information and Related Technology.

3. Differences between Information Technology Infrastructure Library and Control Objective for Information and Related Technology.


What is ITIL (Information Technology Infrastructure Library)?

ITIL is the most widely adopted approach for IT Service Management in the world. It provides a practical, no-nonsense framework for identifying, planning, delivering and supporting IT services to the business.


What is COBIT (Control Objectives for Information and Related Technology)?

COBIT is a model designed to control the IT function. This model was originally developed by the Information Systems Audit and Control Foundation (ISACF).

COBIT supports IT governance by providing a comprehensive description of the control objectives for IT processes and by offering the possibility of examining the maturity of these processes.


Implementation of Information Technology Infrastructure Library.


1. Process Implementation

Objective: The objective of this document is to provide a template for developing process implementation plans that will be usable across a wide range of diverse organizations.

Program Management


2. Process Implementation Projects

Process, People And Technology (The Integrated Project Plan)
◦ Project Timelines
◦ Expected Project Deliverables

Implementation Roles
◦ Process Owner
◦ Core Process Team
◦ Stakeholder Groups And Subject Matter Experts
◦ Internal and External Process Advisors

Pink Elephant Consulting Roles

High Level Process Model Development


3. Process Embedding Strategy

Process Workshops / Training
◦ Develop Lesson Plans
◦ Schedule Workshop And Process Embedding Date
◦ Coaching Period
◦ Initial Process Review And Adjustment

Detailed Activities (Project Check List)
◦ People Involved
◦ Awareness Campaign
◦ Systems Implementation Activities
◦ Support Tools
◦ Post Implementation and Audit
◦ Other Considerations


4. Evaluation of The Project

Post Project Review

Auditing Using Quality Parameters
◦ Generic Quality Parameters for IT Service Management
◦ Process Specific Quality Parameters for IT Service Management


Implementation of Control Objective for Information and Related Technology.


1. Background

The bank in the given case is a global conglomerate with operations in more than 50 countries and with more than 125,000 employees across the globe. The bank’s technology teams are located throughout the world to support global lines of business. The IT teams include development centers that are part of the bank and others that are outsourced to vendors, as well as technology back offices that support IT infrastructure and services. The bank had a history of multiple governance and assurance templates and processes followed by different teams, regions and locations. Hence, the key challenge was to create a common governance and assurance process across technology teams.


2. Use of COBIT

◦ Defining a framework to use: Control objective framework (COF)
◦ Identifying a standard definition of ‘entities’ against which risks and controls were to be evaluated: Key entity management model
◦ Identifying a risk management process: Risk and control assessment (RCA)


Defining COF

◦ It should act as a tool to facilitate the effective assessment of risks and controls within technology.
◦ It should act as a reporting framework to demonstrate how technology satisfies reporting regulatory requirements, including those of Sarbanes-Oxley.
◦ It should act as an aid to drive management assurance.

The steps in implementing COF using COBIT included:

◦ Identify principal risks
◦ Identify level II risks
◦ Identify control objectives


Benefit of Defining COF

Prior to implementing this framework, each entity, organization and location had its own set of controls. COBIT helped in developing and managing a single list of controls for each type of risk through the mapping of needed controls to COBIT. In turn, this assisted with the attestation of each type of risk, which provided confidence to senior executives on the reporting and attestation process. Subsequently, a risk assessment process was developed to define risks and controls. This helped in ensuring that adequate controls were deployed to cover the principal risks and level II risks.


Identifying Entities for Managing Risks and Controls
◦ Process entities
◦ Supporting services entities
◦ Technology entities
◦ Project entities


Defining and Implementing the RCA Process


Training Key Stakeholders

One of the main challenges was to explain the entire process to all of the stakeholders with different backgrounds and understanding of risks and controls and at various locations. The challenge was managed by creating additional training programs at various levels.


Differences Between ITIL and COBIT


ITIL - COBIT

◦ Control Focused
◦ Uses IT Metrics
◦ Used by auditors in SOX
◦ Critical Success Factors
◦ Includes a discussion of quality
◦ Includes a discussion of process maturity
◦ Strong concentration on processes
◦ Security is a very important component
◦ Focused on service delivery
◦ Has a broad base of adopting organizations with lessons learned
◦ Has an organization certification schema


Here is a table explaining COBIT, ITIL, and one other framework (CMMi) for SOX:


Another table describing COBIT, ITIL, and another framework (CMMi) for non-SOX objectives:
